Database Group Mappings
Group Mapping by External User Database
User Guide for Cisco Secure ACS for Windows Server
12-12
You can map an external database to a Cisco Secure ACS group. Unknown users
who authenticate using the specified database automatically belong to, and inherit
the authorizations of, the group. For example, you could configure
Cisco Secure ACS so that all unknown users who authenticate with a certain
token server database belong to a group called Telecommuters. You could then
assign a group setup that is appropriate for users who are working away from
home, such as MaxSessions=1. Or you could configure restricted hours for other
groups, but give unrestricted access to Telecommuters group members.
While you can configure Cisco Secure ACS to map all unknown users found in
any external user database type to a single Cisco Secure ACS group, the following
external user database types are the external user database types whose users you
can only map to a single Cisco Secure ACS group:
ODBC
•
LEAP Proxy RADIUS server
•
•
ActivCard token server
PassGo token server
•
CRYPTOCard token server
•
•
RADIUS token server
RSA SecurID token server
•
•
SafeWord token server
Vasco token server
•
For a subset of the external user database types listed above, group mapping by
external database type is overridden on a user-by-user basis when the external user
database specifies a Cisco Secure ACS group with its authentication response.
Cisco Secure ACS supports specification of group membership for the following
external user database types:
•
LEAP Proxy RADIUS server
ActivCard token server
•
•
CRYPTOCard token server
RADIUS token server
•
Vasco token server
•
Chapter 12
Administering External User Databases
78-14696-01, Version 3.1